11 matches found
CVE-2026-29050
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...
CVE-2026-29050
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...
melange 路径遍历漏洞
Melange is a software developed by Chainguard for building APKs from source code. Versions of Melange from 0.32.0 to 0.43.4 had a path traversal vulnerability. This vulnerability stemmed from insufficient validation of the pipeline.uses parameter, allowing attackers to read arbitrary YAML files a...
CVE-2026-29050
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...
CVE-2026-29050 melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...
CVE-2026-29050
CVE-2026-29050 – melange path traversal : Affected versions: 0.32.0 through before 0.43.4. An attacker who can influence a melange configuration file (e.g., via PR-driven CI or build‑as‑a‑service) could set pipeline[].uses to absolute paths or include “..”, which were passed to filepath.Join with...
CVE-2026-29050 melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...
GHSA-98F2-W9H9-7FP9 melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Impact An attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a value containing ../ sequences or an absolute path. The Compiled.compilePipeline function in pkg/build/compile.go passed us...
EUVD-2026-25355
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline.uses...
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses
Impact An attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a value containing ../ sequences or an absolute path. The Compiled.compilePipeline function in pkg/build/compile.go passed us...
PT-2026-34803
Name of the Vulnerable Software and Affected Versions melange versions 0.32.0 through 0.43.3 Description An attacker capable of influencing a configuration file, such as in build-as-a-service or pull-request-driven CI scenarios, can manipulate the pipeline.uses variable to include absolute paths ...